From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4A0581DD.8020902@gmail.com>
Date: Sat, 09 May 2009 08:15:09 -0500
From: Dale
To: gentoo-user@lists.gentoo.org
Subject: Re: /boot or not /boot (was Re: [gentoo-user] can't stop the panic on eeepc)
References: <73087.60162.qm@web31607.mail.mud.yahoo.com> <200905091441.44936.dirk.heinrichs@online.de> <4A057B2F.9050804@gmail.com> <200905091454.22915.dirk.heinrichs@online.de>
In-Reply-To: <200905091454.22915.dirk.heinrichs@online.de>

Dirk Heinrichs wrote:
> Am Samstag, 9. Mai 2009 14:46:39 schrieb Dale:
>
>> Wasn't there a security reason for this setup at one time? If you put
>> /boot on a separate partition, then the only time it needed to be
>> mounted was to update the kernel or edit grub/lilo. That was what I was
>> reading when I installed Gentoo oh so many ages ago.
>>
>> Is this still true?
>
> Of course, it needs to be mounted rw for the few seconds needed to discover the
> LVs, ask the user for the passphrase and create the dmcrypt mapping. Then it's
> unmounted again and remounted ro during normal system boot. I don't consider
> this a security problem. If it was, I could also stop using Linux altogether,
> since there are also other filesystems on my system which need to be mounted rw
> if the system should do something useful.
>
> Bye...
>
> Dirk

I was talking about with just a plain file system.
I read in an install guide somewhere when I was installing ages ago that having /boot on a separate partition, and not always mounted, was a good security practice. That way no one could alter the kernel since it was not mounted. I do agree that if a person was on the system and able to get root access, they could then mount the /boot partition as well. I never was really sure why this was thought to work.

I used a separate /boot because for a while I was dual booting Mandrake and Gentoo. Old habit now I guess.

Dale

:-) :-)
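The thread's two practical points, keeping /boot unmounted or read-only outside of kernel updates and the fact that this alone does not stop a root user from altering the kernel, can both be turned into checks. The following is an added example and not code from the thread or from Gentoo: it classifies how /boot is currently mounted from a /proc/mounts-style file, and records and re-verifies SHA-256 hashes of the files under the boot directory, which catches a changed kernel whether or not the partition happened to be mounted. The mountpoint /boot, the fstab line in the comment, and the constructed /proc/mounts sample are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes /boot is the boot mountpoint.
#
# In /etc/fstab, /boot can stay unmounted by default (noauto) or be mounted
# read-only (ro); an assumed example line:
#   /dev/sda1   /boot   ext2   noauto,ro,noatime   1 2
# A kernel update then needs: mount /boot   (or: mount -o remount,rw /boot)

# boot_mount_state [mounts_file] [mountpoint]
# Prints "unmounted", "ro" or "rw" by reading a /proc/mounts-style file.
boot_mount_state() {
    mounts="${1:-/proc/mounts}"
    mp="${2:-/boot}"
    # /proc/mounts fields: device mountpoint fstype options dump pass.
    # The options field is comma-separated and always carries one "ro"/"rw" token;
    # if the mountpoint appears more than once (overmount), the last entry wins.
    awk -v mp="$mp" '
        $2 == mp {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "ro" || opt[i] == "rw") state = opt[i]
        }
        END { print (state == "" ? "unmounted" : state) }
    ' "$mounts"
}

# boot_baseline <boot_dir> <baseline_file>
# Records a SHA-256 of every file under boot_dir (paths relative to boot_dir).
# Take it right after a deliberate kernel or bootloader update and keep the
# baseline file off the boot partition (baseline_file must be an absolute path).
boot_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) > "$2"
}

# boot_verify <boot_dir> <baseline_file>
# Exit status 0 when every recorded file still matches, 1 otherwise.
# Detects modified or removed files; a file added after the baseline is not
# listed in it and therefore not reported.
boot_verify() {
    ( cd "$1" && sha256sum -c --status "$2" )
}

# Constructed /proc/mounts sample, used only by the stand-alone demo below.
sample_mounts() {
    cat <<'EOF'
/dev/mapper/vg-root / ext4 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /boot ext2 ro,relatime 0 0
EOF
}

demo() {
    tmp=$(mktemp)
    sample_mounts > "$tmp"
    echo "/boot mount state (sample): $(boot_mount_state "$tmp")"
    rm -f "$tmp"
}

demo
```

Run `boot_mount_state` with no arguments to read the live /proc/mounts; anything other than "unmounted" or "ro" outside a kernel update is worth a look. The hash baseline is the part that actually answers the thread's concern: a separate, unmounted /boot only raises the bar for someone who already has root, while a baseline kept elsewhere lets you detect an altered kernel after the fact.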